qqh452821000
New Member
July 23, 2019
Question

How to do route-policy with VPN?

  • July 23, 2019
  • 1 reply
  • 6322 views

Hi everyone,

We have a FortiGate-200D running v5.4.5 here.

And we have two default routes.

We also have some VPNs. 

Here is what I want to do :

corp vlan5's traffic should go out wan2, and all other traffic except VPN should go out wan1. How do I do that?

Here is my route policy:

I can't do a route policy like this:

config router policy
    edit 1
        set input-device "corp vlan1"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway wan1_IP
        set output-device "wan1"
    next
end

Because all the VPN traffic will go down...

Thank you for any answers..

    1 reply

    scan
    Explorer
    July 23, 2019

    Hi 

    The easiest solution will be an upgrade to a version > 5.6.0. The newer versions have an SD-WAN option with which you can configure your requirement, and the FortiGate does the stuff in the background:

    https://docs.fortinet.com/document/fortigate/5.6.0/cookbook/597321/redundant-internet-with-sd-wan

    Otherwise I would try the following:

    1. Create a default route as a static route, which is the gateway for most of your subnets

    2. Create dedicated policy-based routing entries for the exceptions

    Remember: policy-based routing should be an exception, and before using it, think clearly about it! It makes troubleshooting more complex.

    Cheers

    qqh452821000
    New Member
    July 23, 2019

    Thank you for your reply.

    I have tried that before.

    In that case there is only one default route in the routing table. I created a policy route for the exceptions, but it didn't work.. I think that the exception needs the other default route, but that route is not in the table..

    scan
    Explorer
    July 23, 2019

    Ok, the following should work:

    config router static
        edit 1
            set gateway wan2_IP
            set device "wan2"
        next
    end

    config router policy
        edit 1
            set input-device "corp1_vlan"
            set src "10.64.0.0/255.255.255.0"
            set dstaddr "all"
            set gateway "wan1_IP"
            set output-device "wan1"
        next
    end

    Afterwards you can check with the debug flow command which route and firewall policy match the traffic (this records the first 5 sessions):

    diagnose debug flow filter addr <client_IP>
    diagnose debug flow show console enable
    diagnose debug enable
    diagnose debug flow trace start 5

    If the traffic is allowed, you can use the packet sniffer to see the outgoing device:

    diagnose sniffer packet any 'host <client_IP>' 4
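
Added example (editor's addition, not from either poster): a complete configuration for the setup the question describes, i.e. one corp VLAN out wan2, everything else out wan1, VPN traffic untouched. It assumes the corp VLAN interface is named "vlan5" with subnet 10.5.0.0/24, the IPsec phase1 interfaces are "vpn_siteA" and "vpn_siteB" with remote subnets 192.168.10.0/24 and 192.168.20.0/24, and wan1_IP / wan2_IP are the two ISP gateways; all of these are placeholders. Two things the thread ran into are handled here. First, both default routes get the same distance, so both stay in the routing table (a policy route is ignored if its output device has no active route), and priority makes wan1 the preferred one for normal lookups. Second, policy routes are evaluated top-down, so the two `set action deny` entries stop policy routing for VPN-bound traffic from vlan5 and let it fall through to the routing table and the tunnel interfaces, which is what the OP's catch-all 0.0.0.0/0 entry broke. `action deny` appears in the FortiOS 5.4/5.6 CLI reference for `config router policy`; verify it on the exact build before relying on it. Lines starting with `#` are annotations, not FortiOS CLI.

```text
config router static
    edit 1
        set gateway wan1_IP
        set device "wan1"
        set distance 10
        set priority 5
    next
    # same distance keeps wan2 active in the routing table; higher priority makes it the backup
    edit 2
        set gateway wan2_IP
        set device "wan2"
        set distance 10
        set priority 10
    next
    # routes to the remote VPN subnets over the tunnel interfaces (placeholder names/subnets)
    edit 3
        set dst 192.168.10.0 255.255.255.0
        set device "vpn_siteA"
    next
    edit 4
        set dst 192.168.20.0 255.255.255.0
        set device "vpn_siteB"
    next
end

config router policy
    # entries 1-2: VPN-bound traffic from vlan5 leaves policy routing and uses the routing table
    edit 1
        set input-device "vlan5"
        set src "10.5.0.0/255.255.255.0"
        set dst "192.168.10.0/255.255.255.0"
        set action deny
    next
    edit 2
        set input-device "vlan5"
        set src "10.5.0.0/255.255.255.0"
        set dst "192.168.20.0/255.255.255.0"
        set action deny
    next
    # entry 3: everything else from vlan5 goes out wan2
    edit 3
        set input-device "vlan5"
        set src "10.5.0.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway wan2_IP
        set output-device "wan2"
    next
end
```

Policy routing only selects the egress interface; a firewall policy from vlan5 to wan2, and from vlan5 to each tunnel interface, must still exist or the session is dropped. In `diagnose debug flow` output the two failure modes look different: a routing problem shows up in the "find a route" line (wrong gateway or interface), while a missing firewall policy shows up as a deny by the forward policy check. Keep the deny entries above the catch-all, since the first matching policy route wins.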